Method and communication system for safe route control

ABSTRACT

In a communication system and an associated method for the secured control of a route followed by a vehicle running in an approach area of a moving area, the moving area is preceded by a closing signaling provided on the ground and adapted for informing the vehicle to stop. A safety timing is determined by a ground control unit for ensuring that the vehicle stops before entering the moving area. In parallel with the closing signaling, an information request from the ground control unit is transmitted to a control safety unit. The onboard control safety unit or an associated evaluation module evaluates the braking capacity of the vehicle and encodes the same into information requested by the ground control unit and then fed back to the ground control unit. Depending on the information state, the ground control unit minimizes the safety timing or even cancels the same completely.

The present invention concerns a method and a communication system for safe route control according to the pre-characterising clause of claims 1 and 8.

Said safe route control is aimed at, in particular, public transport vehicles moving along a route such as a railway transport unit, an underground train, a tramway, a trolley bus, a bus, etc. The invention is equally suited to a type of vehicle for which guidance can be performed in a completely autonomous manner by a driver in the vehicle. This is the case, for example, for a vehicle managed by an automatic guidance system on a route equipped with an automatic guidance control (rail transport) interfaced with signalling such as the standard CBTC (=Communication-Based Train Control) type. By extension however, without restriction to this type of vehicle, the term “train” could be commonly used in the remainder of the document, without omitting, however, all of the types of vehicles listed above.

Classically in railway transport signalling, a safe control logic for the emergency destruction of a route allows for, outside nominal operating modes, the destruction of a route whilst preserving the safety of the system. A safe control logic of said train for the emergency destruction of a route enabled [sic] This logic is based on a static definition of parameters required for its correct operation. These parameters are designed to be compatible with the worst case of trains running on an area known as a “maneuvering” area, on which the risk of collisions is to be taken into account, of a switching manoeuvre under the train, and therefore being rendered unable to run.

Currently, a method for the safe control of a route traveled by a vehicle running on an approach area of a maneuvering area is known, for which:

-   the maneuvering area is preceded by a closing signal positioned on the ground (traffic lights at the junction of the approach area and the maneuvering area) and adapted to instruct the vehicle to stop,
-   a fixed safety time delay is sufficiently calculated (sufficiently long in terms of duration of approach) by a control unit on the ground to guarantee that the vehicle stops before it crosses the maneuvering area.

The safety time delay is thus designed to be long, in order that the worst case (collision, derailment) be avoided regardless of the type or characteristics of the approach of the vehicle, even if the latter was inevitably not able to stop at a boundary of the approach area. In other terms, this fixed time delay proves to be significantly long even though the safety technology of trains has improved over the years. This causes trains to stop for long periods and therefore holds up the traffic for an excessive amount of time.

The principle of the aforementioned control logic is thus based on classic signalling for which the safety of the manual “destruction” of a route (maneuvering area to be destroyed to prevent it from being crossed) rests on the safety time delay and possibly on a signal confirming the presence of a train on the approach area associated with a stop signal (red traffic lights, motor circuit breaker, etc.). The route is destroyed following a possible sequence according to which:

1—upon the receipt of a (remote) controlled route destruction request originating from the control unit on the ground, the stop signal on the ground is closed;

2—the safety time delay is initialised and the route (maneuvering area) is destroyed after the former has elapsed.

The principle of this logic is that upon the closure of the stop signal, the driver or an on-board automatic guidance control on approach of this signal must activate the braking system to stop the train and do its best to respect the signal.

At the end of the safety time delay, there are two possible scenarios:

1—The train successfully stopped before the signal and can no longer cross the signal (closed signal respected). The destruction of the route (maneuvering area) can therefore be carried out in complete safety.

2—The train was not able to stop upstream of the signal but it is therefore protected from a collision or a derailment on the maneuvering area, either by triggering a switch which locks the latter and prevents any other train from travelling the same maneuvering area, or because the train has crossed the entire maneuvering area and it is no longer affected by the destruction of the route.

Calculation of the safety time delay guarantees that a train approaching the signal which is closing in front of the former will be stopped after said time delay has elapsed. This calculation, in order to guarantee the safety of the function, will take into account the longest stopping time of the different types of train running on this area at the maximum authorised speed (the time depends on the maximum potential and kinetic energy of an approaching train and of its braking capacity).

For these reasons, one of the aims of the present invention is therefore to reduce the time required for the emergency destruction of the route in the maneuvering area whilst guaranteeing safety.

One advantageous solution in the form of the method and in the form of the system is thus proposed through independent claims 1 and 8.

More specifically, a method for the safe control of a route traveled by a vehicle running on an approach area of a maneuvering area is proposed, for which:

-   the maneuvering area is preceded by a closing signal positioned on the ground and adapted to instruct the vehicle to stop,
-   a safety time delay is calculated by a control unit on the ground to guarantee that the vehicle stops before crossing the maneuvering area,
-   in parallel with the closing signalling, a request for information coming from the control unit on the ground is transmitted to a safety control unit on-board the vehicle,
-   the on-board safety control unit or an associated evaluation module assesses the braking capacity of the vehicle on the basis of an energy balance related to the kinetics of the vehicle and encodes it (in binary for example) into the information required by the control unit on the ground, which is then transmitted back to the control unit on the ground,
-   depending on the status of the information, the control unit on the ground minimises the safety time delay, or even cancels the latter completely if the status of the information ensures a clearly permissive status of vehicle stoppage outside the maneuvering area.

An embodiment of the invention thus described therefore anticipates that following manual emergency control of the destruction of the route issued from a closing signal or from a control unit on the ground, the dynamic parameters of the train are taken into account, or even also transmitted between the train and the ground, in particular, the parameters related to the determination of a physical stopping distance which are encoded using binary code (in the required information) in order to be able to compare it to an acceptable stopping distance or a binary decision module (at the level of the control unit on the ground). If the binary coded distance is less than the acceptable distance, the safety time delay can even be cancelled completely.

Thus linear coding can therefore be equally envisaged so as to transmit more gradual signals like metric distances resulting in, in any case, the evaluation of whether the initial safe time delay can be decreased or even cancelled. This aspect thus allows for the fine adjustment of the safety time delay with the intention of reducing it.

The coding can also be made more safe (for example by means of calculating the stopping distance with redundancy) and encrypted in order to protect more securely the exchange of information between the train and the ground and therefore to avoid a reduction in the safety time delay in case the information related to the energy balance was calculated incorrectly or transmitted by mistake or even augurs unfavourably.

A group of sub-claims also presents the advantages of the invention.

In order to describe the invention, in particular its numerous technical aspects and their advantages, some exemplary embodiments and applications are provided using the figures described:

FIG. 1 Communication system for the safe control of the route.

FIG. 2 Communication system for the safe control of the route adapted to a CBTC type automatism.

FIG. 1 presents a communication system for the safe control of a route traveled by a vehicle A running on an approach area ZA of a maneuvering area ZM for which:

-   the maneuvering area is preceded by a closing signal D, C, F positioned on the ground and adapted to instruct the vehicle to stop,
-   a control unit on the ground USOL comprises a safety time delay TS which is calculated in order to guarantee that the vehicle stops before it crosses the maneuvering area,
-   in parallel with the closing signal D, C, F, a request for information RI originating from the control unit on the ground is transmitted to a safety control unit USEMB on-board the vehicle, preferably by a means of aerial communication,
-   the on-board safety control unit USEMB comprises (or is connected to) an evaluation module ME of the braking capacity of the vehicle on the basis of an energy balance related to the kinetics of the vehicle,
-   an on-board module for decoding the request for information RI controls a coding module (binary) MCB for required information IR sent by the control unit on the ground USOL, then transmitted back to the control unit on the ground USOL,
-   depending on the status (binary) of the required information IR relating to the energy balance, the control unit on the ground comprises a module for deciding and for redefining the safety time delay, with the aim of minimising the latter, or even cancelling it.

Structurally, FIG. 1 is an example of an embodiment adapted to a communication system within the framework of classic signalling on the ground comprising traffic lights F (visible by the train driver on the approach area ZA) controlled by the control unit on the ground USOL via a control signal C. The control unit on the ground USOL is itself controlled by an operator F who wishes to activate the destruction of the route (or displacement) which is possible on the maneuvering area ZM via a destruction signal D sent to the control unit on the ground USOL. In this situation, the control unit on the ground USOL activates the closure of the traffic lights F in which case the request for information RI is also sent from the control unit on the ground USOL to the on-board safety control unit USEMB. At this stage, the safety time delay TS is still, by default, set at its maximum value according to the type of train/worst case situation for required braking. The sending of the request for information RI is activated after identification of a nearing train on the approach area ZA, having taken into account a safe headway which is sufficiently long and which corresponds to the maximum value of the safety time delay TS. The driver or an on-board automatic control therefore takes immediate steps to stop the train.

The control unit on the ground USOL is then waiting for information feedback (required information IR) following the request for information RI which was initiated previously.

Several scenarios can therefore be envisaged:

1st scenario: the train A responds “positively”.

Upon receipt of the request for information RI, a safety computer linked to a safety control unit USEMB on-board the train A, due to its position, assesses its energy and compares it to its braking capacity.

If the train A has the ability to stop on the approach area ZA without crossing the maneuvering area ZM, the safety computer responds positively to the control unit on the ground USOL by sending the required information IR, in other words for example, a binary 0-1 type message which may be accompanied by its operating domain and authorising or not the reduction or even cancellation of the safety time delay TS.

Upon receipt of the required information IR, the control unit on the ground USOL checks the 0/1 binary signal, and checks that the operating domain corresponds correctly to the route to be destroyed and that the train A completely guarantees that the stop signal F is respected. Thus, according to the invention, the control unit on the ground USOL authorises the route destruction device D to destroy the route immediately (safety time delay TS not taken into account).

The operator F is therefore informed of the destruction of the route via a signal RES emitted by the control unit on the ground USOL.

The exchange of the request for information RI and of the required information IR between the control unit on the ground USOL and the on-board safety control unit USEMB is achieved ideally by aerial communication E, for example via radiofrequency.

2nd scenario: the train A responds “negatively” to the request or does not respond at all (fault relating to the train or train not equipped with an automatism or an adapted on-board safety control unit USEMB):

The route destruction device D waits for the end of the safety time delay TS (maximum by default) to physically destroy the route (=displacement on the maneuvering area ZM).

The operator F is informed of the destruction of the route via the signal RES.
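The FIG. 1 exchange and its fail-safe default, sketched as an added example (not code from the patent): the on-board side evaluates an energy balance and encodes a binary IR, and the ground side cancels TS only for an authentic, fresh, positive IR that matches the route. The function names, the energy formula, the derating margin and the HMAC-SHA256 tag with a pre-shared key and nonce (standing in for the protected coding the text mentions) are assumptions.

```python
import hashlib
import hmac
import os

G = 9.81  # gravitational acceleration, m/s^2


def can_stop(mass_kg, speed_ms, drop_m, brake_force_n, dist_to_signal_m, margin=0.8):
    """On-board evaluation (ME): energy to dissipate vs. guaranteed braking work.

    drop_m is the height lost before the signal (negative when climbing).
    margin derates the braking force; 0.8 is an assumed value.
    """
    energy_j = 0.5 * mass_kg * speed_ms ** 2 + mass_kg * G * drop_m
    braking_work_j = margin * brake_force_n * dist_to_signal_m
    return energy_j <= braking_work_j


def _tag(key, nonce, status, domain):
    # MAC over the ground's nonce, the binary status and the operating domain.
    msg = nonce + bytes([status]) + domain.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def build_ri(domain):
    """Ground (USOL): request for information RI with a fresh nonce."""
    return {"nonce": os.urandom(16), "domain": domain}


def build_ir(key, ri, stop_guaranteed):
    """On-board (USEMB): required information IR, binary status plus domain."""
    status = 1 if stop_guaranteed else 0
    return {"status": status, "domain": ri["domain"],
            "tag": _tag(key, ri["nonce"], status, ri["domain"])}


def redefine_delay(key, ri, ir, ts_max_s):
    """Ground (USOL): delay to wait before destroying the route.

    Only an authentic, fresh, positive IR for this route cancels TS.
    Every other outcome keeps the maximum delay.
    """
    if ir is None:  # no answer, faulty or unequipped train
        return ts_max_s
    try:
        expected = _tag(key, ri["nonce"], ir["status"], ir["domain"])
        authentic = hmac.compare_digest(expected, ir["tag"])
    except (KeyError, TypeError, ValueError, AttributeError):
        return ts_max_s  # malformed IR
    if not authentic:  # forged, corrupted, or answer to an older RI
        return ts_max_s
    if ir["domain"] != ri["domain"]:  # IR concerns another route
        return ts_max_s
    if ir["status"] != 1:  # train cannot guarantee the stop
        return ts_max_s
    return 0.0


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample key
    ri = build_ri("ROUTE-A")  # constructed route identifier
    ok = can_stop(200_000, 10.0, 0.0, 200_000, 100.0)
    print(redefine_delay(key, ri, build_ir(key, ri, ok), 60.0))
    print(redefine_delay(key, ri, None, 60.0))
```

Because the tag is computed over the nonce the ground unit itself issued, an IR recorded from an earlier request cannot shorten the delay for a later one.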

FIG. 2 presents a communication system for the safe control of a route adapted to a CBTC type automatism H_CBTC interfaced between the control unit on the ground USOL and the on-board safety control unit USEMB.

The exchanges of the request for information RI and of the required information IR such as in FIG. 1 are therefore carried out here between the on-board safety control unit USEMB and the automatism H_CBTC which therefore itself commands the control unit on the ground USOL in order to activate a reduction in the safety time delay TS by means of a destruction signal DI. Conversely, a request for information related to a destruction request from an operator or from the control unit on the ground USOL will be sent to the safety control unit USEMB on-board the train via the automatism H_CBTC through the destruction signal D, then through an “extensive” destruction signal D_CBTC from the control unit on the ground USOL to the automatism H_CBTC.

In this example, the role of the automatism H_CBTC is that of train driver thus knowing all the dynamic parameters of the train and may also have data available originating from any information source relating to traffic over various areas, to signalling, etc. This is therefore highly advantageous in the case of dynamic traffic management for vehicles without a driver, in particular allowing for more strictly controlled operating areas.

Such as in FIG. 1, the operator F sends a command for the manual destruction of a route to the control unit on the ground USOL.

The control unit on the ground USOL immediately closes the stop signal F associated with the route, triggers the manual destruction device for the route via the destruction signal D (the safety time delay TS is initialised at its maximum value) and sends the current route destruction signal to the automated equipment H_CBTC on the ground via the extensive signal D_CBTC in order to be able to send the request for information RI to the on-board safety control unit USEMB.

The driver, if present, or the on-board safety control unit USEMB takes immediate steps to stop the train A.

The automatism H_CBTC on the ground therefore identifies the train A approaching the stop signal F and, by means of a ground/train link, sends the request for information RI which comprises a request to stop the train A.

The automated equipment H_CBTC on the ground then sets about waiting for a response IR to the request for information RI:

1st scenario: the train A responds “positively”.

Upon receipt of the request for information RI, the safety control unit (also compatibly automated depending on the CBTC type) USEMB on-board the train A, from its location assesses its energy and compares it to its braking capacity. If the train A has the ability to stop, the on-board safety control unit USEMB responds positively to the automated equipment H_CBTC by sending the required information IR back to it, in other words, for example a binary 0-1 type message may be accompanied by its operating domain and may authorise or inhibit the reduction or even cancellation of the safety time delay TS.

Upon receipt of the message, the automated equipment H_CBTC on the ground verifies that the operating domain corresponds correctly to the route to be destroyed and that the train A ensures that stop signal F is indeed respected.

The automated equipment H_CBTC on the ground informs the control unit on the ground USOL whether the signal F has been respected (or not) by the approaching train A by means of a binary destruction signal DI.

Depending on the permissive status of the binary destruction signal DI, the control unit on the ground USOL thus authorises the route destruction device D to destroy the route immediately (cancellation of the safety time delay TS not taken into account).

The operator F is informed of the destruction of the route by the control unit on the ground USOL.

2nd scenario: the train A responds “negatively” to the request for information RI or does not respond at all (fault related to the train or train not equipped with an automatism or adapted on-board safety control unit USEMB).

The control unit on the ground USOL, in standby mode, waits, if necessary, until the end of the safety time delay TS to destroy the route. Thus, there may be no risk remaining of reducing the safety time delay TS “prematurely”.

The operator F is then informed of the non-destruction of the route by the control unit on the ground USOL.

The two communication systems according to FIGS. 1 and 2 thus allow for the implementation of the safety control method previously proposed in the figures.

In Summary:

-   depending on the status of the required information IR, the control unit on the ground USOL cancels the safety time delay TS if an ideally binary status of required information IR ensures that the train A stops without crossing the maneuvering area ZM. This is therefore a major advantage in terms of saving time for traffic related to maneuvers or other actions of service without specific public transport functions.
-   depending on the status of the required information IR, the on-board safety control unit USEMB retransmits a safety command for stopping, ideally accompanied by an operating domain to the control unit on the ground USOL. This aerial transmission is thus performed dynamically whilst remaining safe between the train A and the ground.
-   the control unit on the ground USOL and the on-board safety control unit USEMB can communicate through an automatism on the ground H_CBTC which, at least, detects and orders the movement of the vehicle on the approach area ZA and which communicates by interfacing with signalling equipment (on the ground). This therefore renders the method according to the invention flexible and adaptable to trains equipped with automated means for which communication and command technologies are increasingly effective via tools which are constantly developed and improved. Conversely, the invention is also suited to trains which are not equipped with such automatisms, which renders the present invention universally applicable to existing traffic networks and destined to be updated and modernised.
-   the present method is applicable to any type of public transport vehicle equipped with a radiofrequency transmitter/receiver and is free from any type of rail or catenary type physical communication link between the train and the ground. This is facilitated because the on-board safety control unit USEMB communicates with the equipment on the ground USOL, H_CBTC by means of an aerial link E. The ability to create a permanent safety link can thus be appreciated, when a vehicle chassis is guided by none or indeed at least one, two or three rails.
-   the request for information RI and the required information IR can be encoded using binary code so as to simplify the exchange of information related to the invention, but also to be able to be compatible with the activation mechanisms on the ground, like a switch point in the maneuvering area, once the safety of this area is ensured to be in accordance with the invention.

1-9. (canceled)
 10. A method for safe control of a route traveled by a vehicle running on an approach area of a maneuvering area, the maneuvering area being preceded by a closing signal positioned on ground and adapted to instruct the vehicle to stop, which comprises the steps of: calculating a safety time delay via a control unit on the ground to guarantee that the vehicle stops before it crosses the maneuvering area; in parallel with the closing signal, transmitting a request for information originating from the control unit on the ground to a safety control unit on-board the vehicle; assessing, via the safety control unit, a braking capacity of the vehicle on a basis of an energy balance related to kinetics of the vehicle and a code in information required by the control unit on the ground is transmitted back to the control unit on the ground; and depending on a status of the information required relating to the energy balance, the control unit on the ground minimizes the safety time delay.
 11. The method according to claim 10, wherein according to the status of the information required, the control unit on the ground cancels the safety time delay if the status ensures that the vehicle stops without crossing the maneuvering area.
 12. The method according to claim 10, wherein according to the status of the information required, the safety control unit on-board the vehicle retransmits a safety stoppage command accompanied by an operating domain to the control unit on the ground.
 13. The method according to claim 12, wherein the control unit on the ground and the safety control unit on-board the vehicle communicate through an automatism on the ground which at least detects and commands movement of the vehicle on the approach area and which communicates by interfacing with signaling equipment.
 14. The method according to claim 10, which further comprises guiding the vehicle by at least one rail.
 15. The method according to claim 10, wherein the safety control unit on-board the vehicle communicates with equipment on the ground by means of an aerial connection.
 16. The method according to claim 10, which further comprises encoding the request for information and the information required using binary code.
 17. The method according to claim 11, which further comprises forming the status as a binary signal.
 18. A communication system for a safe control of a route traveled by a vehicle running on an approach area of a maneuvering area, the maneuvering area is preceded by a closing signal positioned on ground and adapted to instruct the vehicle to stop, the communication system comprising: a control unit on the ground containing a safety time delay calculated to guarantee that the vehicle stops before crossing the maneuvering area; a safety control unit on-board the vehicle, in parallel with the closing signal a request for information originating from said control unit on the ground is transmitted to said safety control unit on-board the vehicle, said safety control unit contains an evaluation module for evaluating a braking capacity of the vehicle on a basis of an energy balance related to kinetics of the vehicle; a coding module; an on-board decoding module for decoding the request for information which commands said coding module for required information by said control unit on the ground, then retransmits back to said control unit on the ground the required information; and depending on a status of the required information relating to the energy balance, said control unit on the ground having a module for redefining the safety time delay, and aims at minimizing the safety time delay, or cancelling it.
 19. The system according to claim 18, further comprising an automatism unit on the ground, said control unit on the ground and said safety control unit are connected by said automatism on the ground which at least detects and commands movement of the vehicle on the approach area and which communicates through an interface with signaling equipment. 